Wednesday, December 29, 2010

On Being Honest and Straightforward in Business

Social media is said to be successful primarily due to its communal characteristics that include sharing in an honest and transparent manner. The beauty of social media is that it is a self-regulating and self-correcting medium where the participants, or “community members,” call out other community members whose social media activities have been found to be questionable – particularly those that are trying to use the system to their advantage. According to Paul Gillin in his book, The New Influencers, “millions of writers of all ages, interests, languages and motivations are together forming a set of shared principles, operating standards and behaviors without any kind of central coordination.”


This phenomenon has created a system that places significant value on honest and straightforward communication over salesman-like puffery. As such, organizations with poorly trained or misguided employees that attempt to abuse or mislead the social media community for the benefit of the organization, stand to suffer reputational damage. It is for that reason that organizations must maintain a formal, written social media policy that establishes employee expectations and keeps employee activities consistent with the expectations of the social media community.

Any time an organization’s employees undertake social media activities intended to mislead the community, the organization risks that the social media community will respond in an adverse manner. The social media community may not distinguish between activities made as part of an official company response and those made by an employee on personal time. If the questionable activity appears to be sanctioned by the organization, there may be some form of inflammatory response from the social media community. The danger lies in the potential for the backlash to take on viral characteristics that spread the negative publicity to an extent that causes serious damage to the organization. As such, the policy should be very clear about the need for honest and transparent communication by employees.

Blogger Lisa Brauner describes the concept of honesty and transparency on the Workplace Privacy Counsel blog. Her article entitled “Caveat Employer: Let the Employer Beware of Employee Endorsements on Social Media Websites,” very clearly defines why honesty and transparency are not only a necessity from a public relations perspective, but also from a legal liability perspective.

According to Ms. Brauner, organizations must be aware of the risks posed by employees as a result of product and service endorsements made by employees on social media platforms. Ms. Brauner notes that organizations are subject to the October 2009 Federal Trade Commission guidance (Guides Concerning Use of Endorsements and Testimonials in Advertising), which protects consumers from misleading endorsements and advertising. The Federal Trade Commission guidance makes clear that employers whose employees use social media to make misleading comments regarding their employer’s products or services, face potential liability, even in cases where the employer has no knowledge of the employee’s social media activities.

The Federal Trade Commission guidance states that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. If employees make misleading statements about the employer’s products and services that result in injury to consumers, the Federal Trade Commission may bring an enforcement action against the employer. Ms. Brauner also states that postings on social media platforms can reach wide audiences and as such, employers may be vulnerable to large-scale liability such as class-action lawsuits by consumers and/or legal action by state attorney generals.


For publicly traded companies, honesty and transparency also has implications relative to Rule 10b-5. According to Investopedia.com, Rule 10b-5 is “a regulation formally known as the Employment of Manipulative and Deceptive Practices that was created under the Securities Exchange Act of 1934. This rule deems it to be illegal for anybody to directly or indirectly use any measure to defraud, make false statements, omit relevant information or otherwise conduct operations of business that would deceive another person; in relation to conducting transactions involving stock and other securities.”

The need for transparency and honesty, however, does not mean that employees should disclose confidential company and customer information or proprietary information (e.g., trade secrets, etc.) that can have an adverse effect on the organization. Being honest and transparent does not mean that all information should be shared.

Based upon the public relations and legal risks posed by misleading comments on social media platforms, it is very clear that organizations should develop a formal, written social media policy that ensures that employee interactions are conducted in an honest manner and consistent with the norms of the social media community.

Sunday, December 26, 2010

Social Media Use in the Workplace

One of the most commonly discussed issues regarding social media and business is whether employees should be permitted to access social media platforms during the work day. The Internet is full of debate for and against employee use of social media. Critics state that employee use of social media at work will result in a waste of the organization’s valuable resources as well as potentially endanger the organization. Detractors state that employee use of social media can harm the organization as a result of thoughtless social media interactions that disclose trade secrets and other confidential information. Further, these opponents state that employees also create legal liability as a result of the potential for disparaging, harassing, and other comments that give rise to legal action by fellow employees and third parties.

Proponents of social media acknowledge that risks exist but that the potential benefits outweigh the risks so long as the risks are well managed. Supporters of employee use of social media point to social media’s ability to significantly increase brand awareness in an effective and economical manner. Also touted is the potential that social media has for increasing sales as a result of an effective social media marketing initiative that includes employees as brand ambassadors. Other benefits include increased goodwill for organizations that act in an honest and transparent manner as well as the benefit to the organization for developing a communal environment that listens to the outside world.

Employee use of social media is not right for all organizations. Some organizations may find it beneficial relative to business development, branding, and customer service. On the other hand, organizations may determine that the workforce has no business use for social media. Whether or not an organization embarks on a strategy that permits employee use of social media is dependent upon the organization’s mission, goals, and appetite for risk. To the extent that an organization decides to permit employee use of social media in the workplace, it must ensure that employee social media usage is managed properly.

Employee use of social media can be an extremely effective tool when properly used. Conversely, a poorly managed employee-based social media effort can create nothing but headaches for an organization. Regardless of an organization’s position regarding employee social media use, a formal, written social media policy is essential to protect the organization.

Wednesday, December 22, 2010

Social Media and Insurance

An area of importance that organizations seldom consider when creating a social media policy is insurance coverage. In the minds of most people, insurance policies are maintained for the purpose of protecting physical assets. For example, organizations will insure to protect against property losses incurred due to events such as fires, floods and earthquakes. Notwithstanding the common notion that insurance policies largely protect physical assets, many organizations will also insure to protect against improper acts and omissions through the purchase of policies such as director and officer (D & O) policies. Regardless of the types of policies in place, few organizations consider coverage to protect against outcomes related to social media usage. However, as social media-related lawsuits continue to rise, organizations should develop a formal written social media policy that requires an organization to consider the role that insurance should play in mitigating social media-related risks.

At the outset, it is noted that social media-related lawsuits are rare. These lawsuits, however, do appear to be on the rise. As such, organizations may find it prudent to consider insurance coverage related to social media activities.

For example, consider an organization that monitors employee Internet activity such as social media posts. If that organization determines that based upon an employee’s activity (e.g., derogatory comments targeted at the organization) a termination of employment is deemed appropriate, the organization may be subjected to an invasion of privacy lawsuit for viewing the information. It could also be subjected to an unlawful termination lawsuit based upon a violation of one of the many potentially applicable laws such as the National Labor Relations Act, the Fourth Amendment, or any other similar law that provides employees with protection against action by employers. While lawsuits brought in such instances may not have any merit, the organization must nonetheless spend human and financial resources to deal with the lawsuit. An insurance policy that includes such events may be helpful in offsetting some of the legal expense incurred by the organization.

Legal claims need not only involve employees. Claims may also be brought by third parties. An example is a defamation lawsuit brought forward by a third party based upon derogatory comments made by an employee on a social media platform. Such a lawsuit may assert that the employee was serving in an official capacity on behalf of the organization when the comments were made and as such, the organization is responsible for the damaging comments. Another example may include claims related to the violation of intellectual property rights related to the unauthorized posting of trademarked or copyrighted material on a social media site.

In order to adequately protect against unforeseen social media incidents it is necessary that every organization conduct a risk assessment in order to determine the potential risks related to the organization’s use of social media. It is noted that social media risk potentially exists within every organization regardless of the existence of a formal social media strategy. Risks will vary. Organizations with comprehensive strategies will generally have greater exposure than organizations that limit use of social media. Regardless, every employee that accesses a social media platform can create exposure for the organization. A well-developed formal written social media policy will require the completion of a risk assessment that will assist the organization in determining the types of risks that may arise from social media usage. This process will provide the necessary information regarding the need for social media-related insurance coverage.

Before engaging in the purchase of social media-specific insurance coverage, organizations should analyze existing policies in order to determine the extent to which existing policies cover social media-related risks noted in the social media risk assessment. Such an analysis requires careful scrutiny of each policy’s language to determine if the policy terms, conditions and exclusions may apply to social media-related activities. Since social media is a recent technological tool it is likely that policy terms will not specifically mention “social media.” Policies, however, may refer to the Internet or digital information or make use of other terms that would broadly include social media usage. Organizations should consult with their insurance agent or broker for assistance in determining coverage. Such consultation should include providing the agent or broker with a copy of the social media risk assessment in order to ensure that the organization’s risks are understood by the agent or broker. Lack of understanding by the agent or broker may result in insurance coverage that does not address all the significant risks.

Organizations that take the time to scrutinize their insurance policies will be in the best position to maximize their insurance dollars and ensure appropriate coverage is in place. The devil is in the details. In the case of insurance policies, the devil is in the definition section of the policies. How coverage may apply will depend on the language used. Organizations should keep in mind that such language is negotiable. Organizations should seek to incorporate language that is inclusive of social media activities, if possible during the term of the policy, but certainly at renewal.

According to the Social Media Task Force at Reed Smith LLP in the February 2010 issue of Practical Law: The Journal (PracticalLaw.com), “since claims can raise a variety of issues and take different guises – from common law fraud and misrepresentation claims to invasion of privacy and cyber extortion – looking at an inventory of existing policies with a ‘social media’ lens can assist in seeing and seeking potential coverage that may come into play.”

A formal written social media policy supplemented with a social media risk assessment, provides the tools to ensure that an insurance policy analysis is conducted to maximize return on investment as well as identify gaps that require protection through additional insurance coverage.

Friday, December 17, 2010

Firing An Employee Bad Mouthing the Company on Social Media? Better Think Twice.

As more and more employees lose their jobs for reasons related to social media, more and more social media-related lawsuits fill dockets across America’s courts. Individual, class and union actions have employment law and technology experts paying close attention to these cases to determine the future landscape of social media within the workplace.

According to attorney John R. Lanham, in the January 2010 edition of Morrison Foerster’s (mofo.com) Employment Law Commentary, “employees’ online communications may gain legal protection based on either the privacy or the substance of the communications.” Mr. Lanham’s article brought to light two very real risks for organizations: 1) the growth of social media-related lawsuits; and, 2) current and developing legislation intended to protect employees from employment-related actions on the basis of things said on social media platforms.

In Pietrylo, et al. v. Hillstone Restaurant Group d/b/a Houston’s, two employees of a Hackensack, New Jersey Houston’s Restaurant successfully sued their former employer in an unlawful termination case that stemmed from the employees’ use of social media to disparage the restaurant and its management. In this case, the two employees were terminated for establishing an invitation-only MySpace page for the purpose of allowing employees to vent their dissatisfaction with their employer. Those invited to join the group were existing and former employees – none of which included management.

Management eventually became aware of the MySpace page through an employee that belonged to the MySpace group. The employee provided management with the login ID and password to access the invitation-only MySpace page. In response to the derogatory information posted on the MySpace page about Houston’s management and the company, the two employees that created the MySpace page were terminated for violating the restaurant’s “core values.” The two employees sued Houston’s in federal court and received a favorable ruling in June 2009 when the court found that management had violated the federal Stored Communications Act as well as a comparable state law. The violations were based on the manner in which management gained access to the site. According to the court, the employee that provided management with the user ID and password was perceived to be under duress and feared retaliatory action by management if the user ID and password were not provided.

In another case in October 2010, the National Labor Relations Board (“NLRB”) filed a complaint in Connecticut against American Medical Response of Connecticut, Inc (“AMRC”). The complaint alleges that AMRC violated the National Labor Relations Act (“NLRA”) when it terminated an employee for making disparaging comments on her Facebook page regarding a supervisor. The NLRB alleges that AMRC’s social media policy, which prohibits employees from depicting adversely AMRC in any way on Facebook or other social media sites where pictures of the employees can be posted, violates the NLRA.



The NLRA prohibits employers from punishing workers – whether or not they are union members – for discussing working conditions or unionization. The NLRB claims that this is a case of employees utilizing a social media platform for the purpose of discussing jointly matters related to working conditions, a permissible activity under the NLRA. The NLRB alleges that AMRC’s social media policy was overly broad and denied employees’ right to discuss working conditions among themselves.



These two examples illustrate the challenges that employers currently face in balancing social media risks with human resource risks. According to survey results contained in Proofpoint, Inc.’s (ProofPoint.com) report, “Outbound Email and Data Loss Prevention in Today’s Enterprise, 2010,” the number of firms that reported social media-related terminations in 2010 remained consistent at seven percent compared to eight percent reported in the 2009 survey. However, this figure is nearly double the rate of four percent cited in the 2008 survey. This data suggests that there is definitely a need for organizations to consider the impact that social media will play in managing employees. The challenge for organizations is establishing the appropriate environment in which an organization can justifiably terminate an employee with the confidence of knowing that it will not likely experience a legal backlash.

Another issue related to employee terminations is the topic of reference letters. While many organizations look favorably upon reference letters for terminated employees, some organizations struggle with the issue. Based upon the popularity of social media platforms such as LinkedIn, it is important for organizations to address instances in which reference letters are permitted. In today’s environment it is very likely that a terminated employee will seek an online reference from a past manager or co-worker. In developing a policy statement regarding reference letters, it is important for the organization to convey to employees through training that online recommendations such as those provided through LinkedIn, are equivalent to reference letters. As such, guidance should be provided to employees to ensure that they comply with the organization’s policy.

Employment law is an extremely complex and evolving area of law. As such, this article cannot adequately address all of the issues that organizations may face when it comes to social media. This post is intended to provide examples of actual cases in an effort to demonstrate the importance of developing a human resources policy that addresses social media use by employees. Unfortunately, employment law relative to social media usage is currently taking shape. As such, it is somewhat difficult to fully define best practices. Regardless, a well thought out approach that incorporates existing best practices with evolving case law will provide for the best protection. Incorporating these practices into the formal written social media policy will provide the best possible protection against claims for unlawful termination.

[This post was edited on December 30, 2010 to add the YouTube videos embedded within.]

Wednesday, December 15, 2010

Social Media and Information Security

Wikipedia defines information security as the process by which information is protected from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. When it comes to the Internet, information is generally secured through mechanisms such as login ID and password. Social media presents significant challenges to ensuring adequate information security not because of the technology but because of the habits of social media users. As described below, social media does not introduce threats that are social media-specific. Instead, social media makes the existing threats more effective because users are less vigilant.

If there is one overall benefit that social media has brought to bear, it is that social media has made us all more open and willing to share. There is much to be said about a society that values trust, openness and sharing. Through social media, users are increasingly sharing more and more of themselves. From family photos to what they’re buying, reading or eating to where they’re currently located as well as what exactly they’re doing there. Prior to social media the world was a place made of personal silos where people were more than satisfied keeping their private lives private. Once social media became broadly adopted the world generally became a more open society. In the grand scheme of human relations, this is surely a positive outcome.

Unfortunately, no good deed goes unpunished. And social media’s effect on society is no exception. While society has become more transparent in its online interactions, social media users have also become too trusting. Since most social media interactions are conducted with trusted parties such as friends, classmates, co-workers and other known persons, social media users tend to lower their guard when interacting on social media platforms. As such, social media platforms have become extremely attractive to criminals that seek to exploit the trusting nature of social media users. Further, the fact that millions of users congregate on these sites daily, provides an attractive return on investment for the criminal element. As a result, social media users are at a greater risk of exposure to the exploits of criminals. Internet security experts at Kaspersky Lab (http://usa.kaspersky.com) believe that malicious code distributed through social media is up to ten times more effective than similar attacks using e-mail.

A social media user’s confidential personal information includes everything from passwords to social security numbers to birth dates to items such as mother’s maiden name. This information is regarded as the Holy Grail to criminals who seek to takeover a user’s identity or account. In today’s digital age, this information is maintained by many organizations, including social media platforms. Through the use of sophisticated software programs such as keyloggers and techniques such as phishing attacks, criminals can easily gain access to the social media credentials (ID and password) of their victims. Once they gain access to a social media account, the criminals may deploy various strategies to carry out their plans. For example, it is commonly known that people use the same password for multiple computer systems. As such, once a criminal has access to a single social media account, the criminal may use the same credentials to attempt to access other social media accounts, online banking accounts, corporate computer systems, etc.

Another approach that may be taken by criminals is to use a hijacked social media account to gain access to other users’ accounts by sending a message from the hijacked account to the accounts of people within the hijacked user’s social network with the intent of tricking those individuals into visiting Web sites that install malicious software utilized to steal the login IDs and passwords. These information security breaches are generally successful for two main reasons – users assuming that messages sent within the social media platforms are legitimate and users not understanding how their actions can be exploited by criminals. While the techniques may differ, the goal is generally the same – to gain access to social media accounts that contain valuable information that the criminals can use for financial gain.

A complete discussion of information security is beyond the scope of this book. What is important to note from the perspective of developing an effective social media policy is that social media poses information security risk just as any other Internet-based application. The ultimate question regarding information security is whether organizations with large workforces can reasonably expect to protect themselves from the criminal element that seeks to exploit social media. The short answer is, “it depends.” Organizations can best protect themselves by not becoming the “low hanging fruit.” Ultimately it comes down to assessing the risk, mitigating the risk, training the staff and monitoring the results. All of which should be described in a formal written social media policy.

Sunday, December 5, 2010

Expectation of Privacy and the Social Media Policy

According to the Fourth Amendment of the United States Constitution, citizens have the right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures. Therefore, the obvious question that arises with social media is, does the Fourth Amendment provide employees using social media in the workplace with an expectation of privacy? This question is at the center of many legal battles that have recently filled court dockets across the Country – and early reports from the field indicate that social media users should not be expect Fourth Amendment protection.

Social media by name and design is a “social” media. It is not called “private media” for a very specific reason – there is nothing private about it. Regardless of privacy settings and other controls, increasingly courts around the Country are sending the following message to American workers: “employees using social media should not be under the false impression of a right and expectation of privacy in the workplace.” These court cases are concluding that social media in the workplace is not protected by the Fourth Amendment and as such, information contained within social media platforms may be subject to discovery during the legal process as well as part of other procedures such as audits, background checks and similar activities that benefit from the use of information contained on social networks.

The Fourth Amendment provides a “reasonable” expectation of privacy. However, the standard upon which reasonableness is judged depends upon the current standards of society. In today’s open and social media-enabled society, we live our lives more openly and transparently than ever before, sharing everything from our choice of breakfast cereal in the morning to photos of our children to our location in real-time. For the most part, there are fewer and fewer secrets being kept as more and more of us become increasingly comfortable giving up more of our information than ever before. While the evidence does not suggest that every life should be an open book, judicial decisions appear to take a practical approach when it comes to information contained on social media platforms. In other words, employees are not going to be allowed to act to the detriment of an organization and then hide behind a form of social media immunity.

From the organization’s point of view, the assumption of the lack of privacy plays a key role in managing employees’ use of social media within the workplace. Based upon the current direction of case law, it is in every organization’s best interest to disclose the organization’s right to inspect social media-based records to the extent such records originated through the use of the organizational assets, including computers, network infrastructure and company-controlled/owned social media accounts. The social media policy should be clear about its right to monitor social media interactions in real-time (network monitoring), in stored files (caches, temporary files, etc), while on “company time” and using the organization’s equipment. Such a policy statement will assist the organization in defeating opposition to demands for information during the legal process and will provide protection against claims of invasion of privacy. Once the formal written policy is in place, the organization must ensure that employees are informed of the policy and comply with its requirements. Deviation from the written policy may result in questioning whether or not the employee had an expectation of privacy due to “practices” that are inconsistent with the written policy.

In City of Ontario v. Quon, a California police officer had his case ultimately reach the United States Supreme Court when the police officer was verbally told by a supervisor that he indeed did have an expectation of privacy when using for personal use a department-issued digital device – a statement that contradicted the written policy. While a lower court supported Officer Quon’s assertion that his personal electronic messages were protected based upon the verbal assurance, the U.S. Supreme Court eventually determined that the officer did not have an expectation of privacy on the basis that 1) a formal written policy existed, 2) the device used was provided by the police department and as such, the police department had certain rights to monitor appropriate usage of its assets, and, 3) there was no less invasive practical manner of monitoring general activity on the device.

In Romano v. Steelcase, Inc., a New York trial concluded that an employee had no reasonable expectation of privacy regarding information posted on social networks – despite the restricted privacy settings established by the user.

Another important piece of federal legislation that affects organizations’ access to employee information is the Stored Communications Act (“SCA”). The SCA prohibits employers from, among other things, accessing employee accounts maintained by third-party hosts such as social networks. The SCA generally allows organizations to access stored communications such as emails and other information stored within its own computer network. The SCA, however, limits an organization’s ability to access such information (without the employee’s authorization) if it is stored by a third party service provider. A further complication is that even in instances where an employee has granted an employer access to third-party sites, such access may be deemed to be done under duress and as such, a violation of the SCA. As such, experts generally recommend that employers not extend their reach beyond information contained within their systems in order to prevent violations of the SCA.

In drafting this section of the social media policy, organizations should check with their legal departments in order to determine how to best describe an organization’s policy regarding monitoring of social media activities. Further, each organization should work with its legal department to determine the various local, state and federal laws that may be applicable.

Wednesday, December 1, 2010

Social Media and the Recruiting Process

All organizations would like to believe that employees and new hires are smart, capable and masters of common sense. While at times this may be the case, in all cases this is the goal. As such, it is no surprise that so many human resources departments and recruiters, including banks, are considering how to leverage social media to successfully mine it for nuggets of information that will ensure hiring decisions are sound and will result in strong, productive team members.

Yes, social media is a great tool to identify and interact with potential applicants. Yes, social media is a great tool to learn more about applicant’s professional backgrounds, experiences, and goals. And yes, social media provides access to applicant information that is generally not available through the traditional interview process. However, as we have come to learn throughout this book, nothing with social media comes without a cost.

The general consensus among HR professionals is that the extraneous information accessible through social media should not be considered as part of the recruiting process in order to avoid complications in the hiring process that may run afoul of human resources laws. Generally, to the extent that organizations scour social media for recruiting purposes, employers and recruiters should stay focused on capturing and evaluating the information that addresses the applicant’s qualifications and expertise. Reliance on unrelated information can lead to false impressions of applicants, resulting in lost opportunities at hiring qualified candidates as well as possible judgments based on prohibited information. Unless the information suggests highly inappropriate or illegal activity, the information should be dismissed. Everyone is different. Some people have unique and quirky interests and activities that they participate in outside of work. There is nothing wrong with that and it certainly should not be the basis for passing up on an otherwise strong candidate.

To the extent an organization decides to utilize social media as part of the employment process it is wise to provide applicants with written notice that the background check may involve a review of any publicly-available social media sites. Once the disclosure is made it is important to keep any inquiry limited to information that is “publicly available.” In other words, the process should not require that applicants provide passwords to social media sites nor should it require that applicants “friend,” “like” or otherwise grant the organization access to information that would not otherwise be readily accessible. Such demands, besides being extraordinarily invasive, may violate federal and state privacy statutes as well as may lead to violations of “legal activities” laws that may prohibit employers from taking certain actions based on the “personal time” activities of employees and applicants.

The February 2010 issue of Practical Law: The Journal lists the following risks associated with social media usage as part of the recruiting process:

• Discrimination violations due to adverse employment decisions based on protected class information learned through social media.

• National Labor Relations Act ("NLRA") violations due to employment actions inconsistent with the NLRA.

• Violation of the Fair Credit Reporting Act (“FCRA”) and its state equivalents as a result of the use of consumer reports in conducting background checks without providing the required adverse action disclosure.

Based upon the potential legal pitfalls it is essential that bank HR departments establish a formal written social media policy that specifically addresses how social media may be utilized. Further, human resources personnel should be well trained to understand not only the social media policy but also the applicable laws such as the NLRA, FCRA and any other applicable laws, rules and regulations.